Feed aggregator

LABjs - Less Critical - Open Redirect - SA-CONTRIB-2015-159

Drupal Contrib Security Announcements - Wed, 10/21/2015 - 16:36
Description

The LABjs module integrates LABjs with Drupal for web performance optimization.

The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-004).

Only sites with the Overlay module enabled are vulnerable.

An incomplete fix for this issue was released in SA-CONTRIB-2015-124.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • LABjs 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed LABjs module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the LABjs module for Drupal 7.x, upgrade to LABjs 7.x-1.8

Also see the LABjs project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-158

Drupal Contrib Security Announcements - Wed, 10/21/2015 - 16:34
Description

The jQuery Update module enables you to update jQuery on your site.

The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-004).

Only sites with the Overlay module enabled are vulnerable.

An incomplete fix for this issue was released in SA-CONTRIB-2015-123.
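Both the LABjs advisory above and this one concern the same defect in a bundled copy of the Overlay module's JavaScript: a path taken from the "#overlay=" URL fragment is loaded into the overlay without a check that it stays on the site. The following is an added example, not the Overlay code and not either module's patch; it contrasts a naive "no explicit scheme" check with validation that resolves the URL the way the browser will. The site base URL, the naiveIsInternal and isSafeOverlayTarget functions and the sample inputs are all constructed for illustration.

```javascript
// Added example, not Drupal's overlay.js: validate a URL taken from the
// "#overlay=" fragment before loading it in the overlay iframe. The site base
// URL and the naive check are constructed for illustration.
const SITE_BASE = 'https://site.example/'; // assumed base URL of the site

// A naive "is this internal?" test that only rejects an explicit scheme.
// It accepts protocol-relative targets such as "//evil.example", which the
// browser resolves to another host: this is the class of bypass an open
// redirect check must close. Constructed here; not the code the advisory fixes.
function naiveIsInternal(candidate) {
  return !/^[a-z][a-z0-9+.-]*:/i.test(candidate);
}

// Resolve the candidate the way the browser will, then require the result to
// stay on the site's origin and under its base path. Scheme tricks
// ("javascript:", "data:"), protocol-relative and backslash forms
// ("//host", "/\host"), userinfo ("https://site.example@evil.example") and
// path escapes ("../..") all fail one of the two comparisons.
function isSafeOverlayTarget(candidate, base = SITE_BASE) {
  if (typeof candidate !== 'string') return false;
  let target, baseUrl;
  try {
    baseUrl = new URL(base);
    target = new URL(candidate, baseUrl); // resolves relative paths like "admin/config"
  } catch (e) {
    return false; // unparseable input is never loaded
  }
  if (target.origin !== baseUrl.origin) return false;
  return target.pathname.startsWith(baseUrl.pathname);
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  for (const c of ['admin/config', '//evil.example/', '/\\evil.example/', 'javascript:alert(1)']) {
    console.log(JSON.stringify(c), 'naive:', naiveIsInternal(c), 'safe:', isSafeOverlayTarget(c));
  }
}
```

Run it with node. The origin comparison is what closes the protocol-relative and backslash cases, because the WHATWG parser behind new URL() resolves them exactly as the browser does. A check that only inspects the raw string, as the naive version does, has to enumerate every spelling the parser accepts and will miss one.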

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • jQuery Update 7.x-2.x versions prior to 7.x-2.7

Drupal core is not affected. If you do not use the contributed jQuery Update module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the jQuery Update module for Drupal 7.x, upgrade to jQuery Update 7.x-2.7

Also see the jQuery Update project page.


Drupal version: Drupal 7.x
Categories: Security posts

Twilio - Moderately Critical - Access bypass - SA-CONTRIB-2015-157

Drupal Contrib Security Announcements - Wed, 10/14/2015 - 20:56
Description

This module provides hooks and rules integration to leverage the Twilio API to send/receive phone calls and text messages.

The module relies on an existing, broadly granted permission to protect its administration pages, so untrusted users who hold that permission for other reasons can perform Twilio administration actions that were not intended for them.

This vulnerability is mitigated by the fact that an attacker must have access to a session with the role that has the permission "access administration pages".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Twilio 7.x-1.x versions prior to 7.x-1.11

Drupal core is not affected. If you do not use the contributed Twilio module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Twilio module for Drupal 7.x, upgrade to Twilio 7.x-1.11

Grant the permission "administer twilio" to any roles that should be able to administer the Twilio module.

Also see the Twilio project page.


Drupal version: Drupal 7.x
Categories: Security posts

Colorbox - Access bypass - Less Critical - SA-CONTRIB-2015-156

Drupal Contrib Security Announcements - Wed, 10/07/2015 - 16:16
Description

This module allows for integration of Colorbox, a jQuery lightbox plugin, into Drupal.

The module allows unprivileged users to add unexpected content to a Colorbox, including content from external sites. This allows an unprivileged user to deface a site.

This vulnerability is mitigated by the fact that an attacker must have permission to post comments with a text format that allows links.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Colorbox 7.x-2.x versions prior to 7.x-2.10.

Drupal core is not affected. If you do not use the contributed Colorbox module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Colorbox module for Drupal 7.x, upgrade to Colorbox 7.x-2.10

Also see the Colorbox project page.


Drupal version: Drupal 7.x
Categories: Security posts

Entity Registration - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-155

Drupal Contrib Security Announcements - Wed, 10/07/2015 - 15:47
Description

This module enables you to manage registrations for events.

The module doesn't sufficiently protect information about who is registered to attend specific events when anonymous users are granted a permission that is commonly recommended when allowing anonymous registrations.

This vulnerability is mitigated by the fact that anonymous users must have the permission "Register other accounts."

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Entity Registration 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Entity Registration module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Entity Registration module for Drupal 7.x, upgrade to Entity Registration 7.x-1.5 or later (7.x-1.6 is recommended; see the note below)

Note on releases: the security bug was fixed in the 7.x-1.5 release; however, that release also included many other bug fixes and features. The 7.x-1.6 release is intended to fix a critical, non-security bug in the 7.x-1.5 release.

Update permissions configuration:

  • Remove the "Register other accounts" permission for anonymous users or other unprivileged roles
  • If needed, add the "Register Self" permission for anonymous users and other unprivileged roles

Also see the Entity Registration project page.


Categories: Security posts

Stickynote - Cross Site Scripting (XSS) - Moderately Critical - SA-CONTRIB-2015-154

Drupal Contrib Security Announcements - Wed, 10/07/2015 - 15:40
Description

This module enables you to create notes on a page inside a block.

The module doesn't sufficiently sanitize the note text on the admin listing page.

This vulnerability is mitigated by the fact that an attacker must have a role with a permission to create or edit a stickynote.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Stickynote 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed stickynote module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Stickynote module for Drupal 7.x, upgrade to Stickynote 7.x-1.3

Also see the Stickynote project page.


Drupal version: Drupal 7.x
Categories: Security posts

Taxonomy Find - Unsupported - SA-CONTRIB-2015-153

Drupal Contrib Security Announcements - Wed, 09/30/2015 - 20:16
Description

This module enables you to add a simple search interface to lookup taxonomy terms by name.

The module doesn't sufficiently sanitize output of taxonomy vocabulary names and term names.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer vocabularies and terms" or the ability to add or edit nodes or entities with taxonomy fields attached.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All Taxonomy Find 6.x versions (up to and including 6.x-1.2).
  • All Taxonomy Find 7.x versions (up to and including 7.x-1.0).

Drupal core is not affected. If you do not use the contributed Taxonomy Find module, there is nothing you need to do.

Solution

If you use the Taxonomy Find module you should uninstall it.

Also see the Taxonomy Find project page.

Reported by
  • Matt Vance provisional member of the Drupal Security Team
Fixed by

Not applicable.


Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

User Dashboard - SQL Injection - Critical - SA-CONTRIB-2015-152

Drupal Contrib Security Announcements - Wed, 09/30/2015 - 20:13
Description

The User Dashboard module contains SQL injection vulnerabilities.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • User Dashboard 7.x-1.x versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed User Dashboard module, there is nothing you need to do.

Solution

Install the latest version.

  • If you use the User Dashboard module for Drupal 7.x, upgrade to 7.x-1.4

Also see the User Dashboard project page.


Drupal version: Drupal 7.x
Categories: Security posts

Scald - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-151

Drupal Contrib Security Announcements - Wed, 09/16/2015 - 15:57
Description

This module enables you to easily manage your media assets and re-use them in all your content.

The module provided a "debug" context that gave access to all the atom properties, including all the fields attached to this atom, without applying the corresponding field restrictions.

This vulnerability is mitigated by the fact that only sites that added fields to an atom type and then restricted access to those fields are vulnerable.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Scald 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Scald: Media Management made easy module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Scald module for Drupal 7.x, upgrade to Scald 7.x-1.5

Also see the Scald: Media Management made easy project page.


Drupal version: Drupal 7.x
Categories: Security posts

CMS Updater - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2015-150

Drupal Contrib Security Announcements - Wed, 09/16/2015 - 15:05
Description

CMS Updater allows you to update Drupal core automatically through a subscription service.

Access bypass
The module does not sufficiently protect the settings page, allowing any user with the permission "access administration pages" to change settings.

This vulnerability is mitigated by the fact that an attacker must have the "access administration pages" permission on the site.

Cross Site Scripting (XSS)
The module does not sanitize user provided text on the configuration page thereby exposing a cross site scripting vulnerability.

There are no mitigating factors for the cross site scripting.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • CMS Updater 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed CMS Updater module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the CMS Updater module for Drupal 7.x, upgrade to CMS Updater 7.x-1.3

Also see the CMS Updater project page.


Drupal version: Drupal 7.x
Categories: Security posts

amoCRM - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2015-149

Drupal Contrib Security Announcements - Wed, 09/16/2015 - 14:55
Description

This module enables you to integrate with amoCRM service using webhooks.

The module does not sufficiently sanitize the logged data when malicious POST data is received.

This vulnerability is mitigated by the fact that a module such as "Database logging" (dblog), which displays log messages in an HTML context, must be enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • amoCRM 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed amoCRM module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the amoCRM module for Drupal 7.x, upgrade to amoCRM 7.x-1.2

Also see the amoCRM project page.


Drupal version: Drupal 7.x
Categories: Security posts

Drupal 7 driver for SQL Server and SQL Azure - Moderately Critical - SQL Injection - SA-CONTRIB-2015-148

Drupal Contrib Security Announcements - Wed, 09/16/2015 - 14:38
Description

The Drupal 7 driver for SQL Server and SQL Azure has a SQL injection vulnerability.

The driver's implementation of the Drupal database API does not escape certain characters properly. A malicious user may be able to access restricted information by performing a specially crafted search.

Only sites that use contrib or custom modules which rely on the db_like() function may be affected.
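An added example (not the driver's code) of why LIKE escaping is database-specific. Drupal 7's db_like() escapes %, _ and the backslash, which is sufficient for MySQL-style LIKE; Transact-SQL's LIKE additionally treats [...] and [^...] as wildcards. The advisory does not say which characters the driver mishandled, so '[' is used here only as the illustrative case. The pattern matcher, the two escaping functions, the containsSearch helper and the sample rows are all constructed for the demonstration.

```javascript
// Added example, not the driver's code. Translates a T-SQL LIKE pattern that
// uses ESCAPE '\' into a JavaScript RegExp so the two escaping strategies can
// be compared offline. Which characters the driver actually mishandled is not
// stated in the advisory; '[' is used here as the illustrative case.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function likeToRegExp(pattern, escapeChar = '\\') {
  let re = '^';
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === escapeChar && i + 1 < pattern.length) {
      re += escapeRegex(pattern[++i]);       // escaped character is literal
    } else if (c === '%') {
      re += '[\\s\\S]*';                     // any run of characters
    } else if (c === '_') {
      re += '[\\s\\S]';                      // exactly one character
    } else if (c === '[') {
      const close = pattern.indexOf(']', i + 1);
      if (close === -1) { re += '\\['; continue; } // unterminated: literal
      let cls = pattern.slice(i + 1, close);
      const negated = cls.startsWith('^');
      if (negated) cls = cls.slice(1);
      cls = cls.replace(/[\\\]\[^]/g, '\\$&'); // keep '-' so ranges still work
      re += (negated ? '[^' : '[') + cls + ']';
      i = close;
    } else {
      re += escapeRegex(c);
    }
  }
  return new RegExp(re + '$');
}

function likeMatches(pattern, value) {
  return likeToRegExp(pattern).test(value);
}

// What db_like() does for MySQL-style engines: neutralise %, _ and the escape char.
function escapeLikeMysqlStyle(s) {
  return s.replace(/[\\%_]/g, '\\$&');
}

// T-SQL also treats '[' as a wildcard (start of a character class), so a
// driver for SQL Server must escape it as well.
function escapeLikeTsql(s) {
  return s.replace(/[\\%_\[]/g, '\\$&');
}

// A "contains" search built the way a module calling db_like() would build it.
function containsSearch(escape, userInput, rows) {
  const pattern = '%' + escape(userInput) + '%';
  return rows.filter((row) => likeMatches(pattern, row));
}

const ROWS = ['secret report', 'public notice', 'see [a-z] here']; // constructed

if (typeof require !== 'undefined' && require.main === module) {
  console.log('mysql-style escaping:', containsSearch(escapeLikeMysqlStyle, '[a-z]', ROWS));
  console.log('t-sql escaping:      ', containsSearch(escapeLikeTsql, '[a-z]', ROWS));
}
```

With MySQL-style escaping the input "[a-z]" is passed through unchanged, so the search matches every row containing a lowercase letter instead of the literal string; with the bracket escaped it matches only the row that really contains it. The general lesson is that the escaping routine has to be owned by the driver, since only the driver knows the target dialect's wildcard set.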

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed Drupal 7 driver for SQL Server and SQL Azure module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Drupal 7 driver for SQL Server and SQL Azure, upgrade to 7.x-1.4

Although a 7.x-1.4 version has been released, the 7.x-1.x branch is currently unsupported and not maintained.

Also see the Drupal 7 driver for SQL Server and SQL Azure project page.


Drupal version: Drupal 7.x
Categories: Security posts

RESTful - Moderately Critical - Access bypass - SA-CONTRIB-2015-147

Drupal Contrib Security Announcements - Wed, 09/09/2015 - 18:18
Description

This module enables you to expose your Drupal backend by generating a RESTful API.

The module doesn't sufficiently account for core's page cache for anonymous users when non-cookie authentication providers are used. A user authenticated through one of those providers sends no session cookie, so core still treats the request as anonymous and can store the resulting page in the anonymous page cache; subsequent anonymous requests for the same URL are then served that page, potentially exposing restricted information.
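The interaction between core's anonymous page cache and header-based authentication, as an added example that is not the RESTful module's code. The token table, private data and request shapes are constructed; the markUncacheable flag models one mitigation, marking the response as not cacheable once a non-cookie provider has authenticated the user (in Drupal 7 that is what drupal_page_is_cacheable(FALSE) does), which is assumed here as the fix rather than taken from the module's release.

```javascript
// Added example, not the RESTful module's code: a minimal model of Drupal 7's
// anonymous page cache sitting in front of a token-authenticated endpoint.
// Token table and private data are constructed for the demonstration.
const TOKENS = { 'tok-alice': 'alice' };               // constructed
const PRIVATE = { alice: ['report-1 (confidential)'] }; // constructed

// markUncacheable=false reproduces the flaw: the request carries no session
// cookie, so core treats it as anonymous and stores the response in the page
// cache even though a header token authenticated a real user.
// markUncacheable=true models the fix: any response produced for a user
// authenticated by a non-cookie provider is flagged as not cacheable
// (the Drupal 7 API call for that is drupal_page_is_cacheable(FALSE)).
function createServer({ markUncacheable }) {
  const pageCache = new Map(); // URL -> stored response, anonymous requests only

  return function handle(req) {
    const anonymousByCookie = !(req.cookies && req.cookies.SESS);
    // Core serves the page cache only to requests without a session cookie.
    if (anonymousByCookie && pageCache.has(req.path)) {
      return { ...pageCache.get(req.path), fromCache: true };
    }
    let user = null;
    let cacheable = anonymousByCookie;
    const token = req.headers && req.headers['x-auth-token'];
    if (token && TOKENS[token]) {
      user = TOKENS[token];
      if (markUncacheable) cacheable = false;
    }
    const body = user ? PRIVATE[user] : [];
    const response = { status: 200, user, body };
    if (cacheable) pageCache.set(req.path, response);
    return { ...response, fromCache: false };
  };
}

// Replay the sequence from the advisory: an authenticated request followed by
// an anonymous request for the same URL. Returns what the anonymous caller saw.
function replay(markUncacheable) {
  const handle = createServer({ markUncacheable });
  const path = '/api/v1/reports';
  handle({ path, headers: { 'x-auth-token': 'tok-alice' }, cookies: {} });
  return handle({ path, headers: {}, cookies: {} });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', replay(false));
  console.log('fixed:     ', replay(true));
}
```

The cache key is the URL alone, so anything that changes the response without changing the URL or the cookie (here, an authentication header) must either opt the response out of the cache or be folded into the key. Checking that API responses for authenticated users never carry the page-cache headers is a quick way to confirm a site is patched.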

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • RESTful 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed RESTful module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the RESTful module for Drupal 7.x, upgrade to RESTful 7.x-1.3

Also see the RESTful project page.


Drupal version: Drupal 7.x
Categories: Security posts

Twitter - Moderately Critical - Access bypass - SA-CONTRIB-2015-146

Drupal Contrib Security Announcements - Wed, 09/09/2015 - 17:09
Description

This module enables you to pull in public tweets from Twitter accounts, post messages to Twitter to announce content changes, and authenticate using Twitter.

The module doesn't sufficiently check for access when using the Twitter Post submodule to post messages to Twitter and allows a tweet to be posted to any authenticated account, not just one that the user owns.

The module also doesn't sufficiently check for access when listing a user's connected Twitter accounts, allowing any user to change the options for any other account, including deleting the attached Twitter account.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "post to twitter" in order to post to Twitter, and have either the permission "add twitter accounts" or "add authenticated twitter accounts" in order to access the accounts list.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Twitter 6.x-5.x versions prior to 6.x-5.2.
  • Twitter 7.x-5.x versions prior to 7.x-5.9.
  • Twitter 7.x-6.x versions prior to 7.x-6.0.

Drupal core is not affected. If you do not use the contributed Twitter module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Twitter 5.x module for Drupal 6.x, upgrade to Twitter 6.x-5.2 or later.
  • If you use the Twitter 5.x module for Drupal 7.x, upgrade to Twitter 7.x-5.9 or later.
  • If you use the Twitter 6.x module for Drupal 7.x, upgrade to Twitter 7.x-6.0 or later.

Also see the Twitter project page.


Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

Fieldable Panels Panes - Less Critical - Access bypass - SA-CONTRIB-2015-145

Drupal Contrib Security Announcements - Wed, 09/02/2015 - 17:50
Description

Fieldable Panels Panes enables you to create custom panes for embedding in Panels-based displays (Page Manager, Panelizer, Panels Everywhere) via a fieldable custom entity type.

The module doesn't sufficiently check for permission to edit existing Fieldable Panels Panes entities, thus allowing someone to modify a pane they don't have permission to edit.

This vulnerability is mitigated by the fact that an attacker must have a role with the necessary permissions to edit a panels display that has a custom pane, and it's uncommon that someone is given access to this functionality and not also permission to edit the panes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Fieldable Panels Panes 7.x-1.x versions prior to 7.x-1.7.

Drupal core is not affected. If you do not use the contributed Fieldable Panels Panes (FPP) module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Fieldable Panels Panes module for Drupal 7.x, upgrade to Fieldable Panels Panes 7.x-1.7

Also see the Fieldable Panels Panes (FPP) project page.


Drupal version: Drupal 7.x
Categories: Security posts

Mass Contact - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-144

Drupal Contrib Security Announcements - Wed, 09/02/2015 - 17:12
Description

This module allows anyone with permission to send a single message to multiple users of a site, using the site's roles and/or taxonomy functionality.

The module doesn't sufficiently sanitize the category labels when they are displayed.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer mass contact".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Mass Contact 6.x-1.x versions prior to 6.x-1.6.
  • Mass Contact 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Mass Contact module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Mass Contact module for Drupal 6.x, upgrade to Mass Contact 6.x-1.6
  • If you use the Mass Contact module for Drupal 7.x, upgrade to Mass Contact 7.x-1.1

Also see the Mass Contact project page.


Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

Zendesk Feedback Tab - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-143

Drupal Contrib Security Announcements - Wed, 09/02/2015 - 15:24
Description

This module enables you to easily integrate the Zendesk Support Tab on your Drupal website.

The module allows JavaScript code to be embedded via its administration interface, so anyone allowed to configure it can mount a cross-site scripting attack against other visitors. The module did not properly indicate that site administrators should grant that permission only to trusted users.

This vulnerability is mitigated by the fact that an attacker must have a role with the Configure Zendesk Feedback Tab permission.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Zendesk Feedback Tab 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Zendesk Feedback Tab module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Zendesk Feedback Tab module for Drupal 7.x, upgrade to Zendesk Feedback Tab 7.x-1.1

Also see the Zendesk Feedback Tab project page.


Drupal version: Drupal 7.x
Categories: Security posts

Spotlight - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2015-142

Drupal Contrib Security Announcements - Tue, 09/01/2015 - 20:16
Description

The Spotlight module provides a tool that mimics Mac OS X Spotlight functionality. It provides faster access to content, paths and uploaded files.

The module doesn't sufficiently sanitize node titles when displayed in results.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Spotlight 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Spotlight module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Spotlight module for Drupal 7.x, upgrade to Spotlight 7.x-1.4

Also see the Spotlight project page.


Drupal version: Drupal 7.x
Categories: Security posts

Ctools - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-141

Drupal Contrib Security Announcements - Wed, 08/19/2015 - 20:28
Description

Cross Site Scripting (XSS)

Ctools in Drupal 6 provides a number of APIs and extensions for Drupal, and is a dependency for many of the most popular modules, including Views, Panels and Entityreference. Many features introduced in Drupal Core once lived in ctools.

This vulnerability is mitigated by the fact that ctools must load its JavaScript on the page and the attacker must be able to submit data through a form (such as a comment or node) using a text format that allows 'a' tags.

This patch is a backport for SA-CORE-2015-003.

Access bypass

This module provides a number of APIs and extensions for Drupal, and is a dependency for many of the most popular modules, including Views, Panels and Features.

The module doesn't sufficiently verify the "edit" permission for the "content type" plugins that are used on Panels and similar systems to place content and functionality on a page.

This vulnerability is mitigated by the fact that the user must have access to edit a display via a Panels display system, e.g. via Panels pages, Mini Panels, Panel Nodes, Panelizer displays, IPE, Panels Everywhere, etc. Furthermore, either a contributed module provides a CTools content type plugin, or a custom plugin must be written that inherits permissions from another plugin and must have a different permission defined; if no "edit" permission is set up for the child object CTools did not check the permissions of the parent object. One potential scenario would allow people who did not have edit access to Fieldable Panels Panes panes, which were specifically set to not be reusable, to edit them despite the person's lack of access.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

Cross Site Scripting:

  • ctools 6.x-1.x versions prior to 6.x-1.14.

Access bypass:

  • ctools 6.x-1.x versions prior to 6.x-1.14.
  • ctools 7.x-1.x versions prior to 7.x-1.8.

Drupal core is not affected. If you do not use the contributed Chaos tool suite (ctools) module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the ctools module for Drupal 6.x, upgrade to ctools 6.x-1.14
  • If you use the ctools module for Drupal 7.x, upgrade to ctools 7.x-1.8

Also see the Chaos tool suite (ctools) project page.


Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003

Drupal Core Security Announcements - Wed, 08/19/2015 - 19:27

This security advisory fixes multiple vulnerabilities. See below for a list.

Cross-site Scripting - Ajax system - Drupal 7

A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking Drupal.ajax() on a whitelisted HTML element.

This vulnerability is mitigated on sites that do not allow untrusted users to enter HTML.

Drupal 6 core is not affected, but see the similar advisory for the Drupal 6 contributed Ctools module: SA-CONTRIB-2015-141.

Cross-site Scripting - Autocomplete system - Drupal 6 and 7

A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized.

This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files.

SQL Injection - Database API - Drupal 7

A vulnerability was found in the SQL comment filtering system which could allow a user with elevated permissions to inject malicious code in SQL comments.

This vulnerability is mitigated by the fact that only one contributed module that the security team found uses the comment filtering system in a way that would trigger the vulnerability. That module requires you to have a very high level of access in order to perform the attack.

Cross-site Request Forgery - Form API - Drupal 6 and 7

A vulnerability was discovered in Drupal's form API that could allow file upload value callbacks to run with untrusted input, due to form token validation not being performed early enough. This vulnerability could allow a malicious user to upload files to the site under another user's account.

This vulnerability is mitigated by the fact that the uploaded files would be temporary, and Drupal normally deletes temporary files automatically after 6 hours.

Information Disclosure in Menu Links - Access system - Drupal 6 and 7

Users without the "access content" permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to.

CVE identifier(s) issued
  • CVE identifiers have been requested and will be added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal core 6.x versions prior to 6.37
  • Drupal core 7.x versions prior to 7.39
Solution

Install the latest version:

  • If you use Drupal 6.x, upgrade to Drupal core 6.37
  • If you use Drupal 7.x, upgrade to Drupal core 7.39

Also see the Drupal core project page.

Credits

Coordinated by
  • Alex Bronstein, Angie Byron, Michael Hess, Pere Orga, David Rothstein and Peter Wolanin of the Drupal Security Team

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts
